Appendix 2 GAI Terms of Use Checklist

To assist with choosing appropriate third-party managed GAI tools, we prepared the following checklist. This is intended to help identify and evaluate important contractual protections, but should not be interpreted as a mandatory or exhaustive set of requirements.

No Model Training: Neither the model provider nor any integrated application provider may use customer data to develop or improve its services without explicit, written customer consent.

Purpose Limitation: Use of customer data should be limited to providing the services, complying with applicable law, enforcing provider policies, and preventing abuse. These purposes may be further limited where Zero Data Retention is enabled.

Data Retention: Customer data must be permanently deleted from the provider's servers within a reasonable period after it is deleted from the user interface, or after account termination, except where retention is required by law.

Data Isolation: Where higher degrees of data isolation are critical for the type of data being processed, the contract should address the specific isolation requirements for both the application and the transformer model.

Data Residency: Where a specific geographic hosting location is critical for the type of data being processed, the contract should specify the permitted data processing jurisdictions and include any applicable supplemental provisions (e.g. a Data Processing Addendum).

User Anonymity: Where anonymous GAI inputs are critical to user privacy, the provider must ensure API requests do not include identifiable client or firm information.

Compliance with Privacy Laws: The provider must comply with all privacy laws applicable to the data, customer, and clients.

Breach Notification: Providers should clearly agree to timely breach notification requirements and specify their incident response obligations.

Risk Management: The application must be developed, deployed, and maintained in accordance with recognized information security frameworks (such as SOC 2, ISO 27001, CSA STAR) and AI risk management frameworks (e.g., NIST AI RMF, OWASP GenAI Security Project). The provider should publish or provide supporting documentation demonstrating compliance.

Third-Party Access Controls: Define and limit third-party access rights and include an obligation of the primary provider to bind downstream third parties to all relevant data management obligations.

Supplementary Agreements: Explore the availability of a Data Processing Addendum for personal data processing, or a HIPAA business associate agreement when required for protected health information.

The specific protections to include will depend on the type of data being processed, applicable regulations, and the lawyer's professional obligations in the given context.